• Aucun résultat trouvé

Models and algorithms for managing quality of context and respect for privacy in the Internet of Things

N/A
N/A
Protected

Academic year: 2021

Partager "Models and algorithms for managing quality of context and respect for privacy in the Internet of Things"

Copied!
261
0
0

Texte intégral

(1)

HAL Id: tel-01259261

https://tel.archives-ouvertes.fr/tel-01259261

Submitted on 20 Jan 2016

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come from

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de

and respect for privacy in the Internet of Things

Samer Machara Marquez

To cite this version:

Samer Machara Marquez. Models and algorithms for managing quality of context and respect for privacy in the Internet of Things. Software Engineering [cs.SE]. Université Paris-Saclay, 2015. English. �NNT : 2015SACLL005�. �tel-01259261�

(2)

Th`

ese de Doctorat

de l’Universit´

e Paris-Saclay,

pr´epar´ee `

a Telecom SudParis

´

Ecole Doctorale N

° 580

Sciences et Technologies de l’Information et de la Communication

Sp´

ecialit´

e : Informatique

Par

Samer MACHARA MARQUEZ

Models and Algorithms for Managing Quality

of Context and Respect for Privacy in the

Internet of Things

Th`ese pr´esent´ee et soutenue `a ´Evry, le 17 Novembre 2015 Composition du jury :

M. Antoine Beugnard Professeur `a T´el´ecom Bretagne Rapporteur Mme Michelle Sibilla Professeur `a l’Universit´e Toulouse 3 Rapporteur Mme Isabelle Demeure Professeur`a T´el´ecom ParisTech Examinateur

(3)
(4)

I would like to express my sincere gratitude to my advisors Prof. Chantal Taconet and Sophie Chabridon for the continuous support of my Ph.D study and research, for their patience, and immense knowledge. Their guidance helped me in all the time of research and writing of this thesis.

Besides my advisors, I would like to thank the rest of my thesis committee: Prof. Antoine Beugnard, Prof. Michelle Sibilla, and Dr. Isabelle Demeure, for their interest in my work.

I thank my fellow labmates in for the stimulating discussions, and for all the fun we have had in the last four years.

I thank my friends Troy, Ender, Carina, Jay, Gustavo, Ernesto, Willy, Sebastien, and Glenda. I am lucky to have met they here, and I thank them for their friendship, love, support and encouragement to finish my thesis.

Last but not the least, I would like to thank my family for their constant love and supporting me spiritually throughout writing this thesis and my life in general.

(5)
(6)

With her support and love, she gave me the force to ended my Ph.D.

(7)
(8)

L’Internet des Objets (IdO) est un nouveau paradigme, dont l’idée de base est de connecter un grand nombre d’objets de façon ubiquitaire. Ces objets sont capables d’interagir les uns avec les autres et de coopérer avec leurs voisins en partageant des données acquises directement en mesurant certains faits. Tout cela, afin d’atteindre des objectifs communs [Giusto et al., 2010]. Cette information ne représente pas seulement l’état des utilisateurs, mais aussi les processus dans lesquels ils sont impliqués, on appelle cela le Contexte. Le Contexte fournit des informations à la fois pour la reconnaissance des opérations nécessaires et leur traduction vers les services disponibles en fournissant une vue structurée et unifiée du monde dans lequel un système fonctionne [Coutaz et al., 2005].

Avec l’IdO, de nombreuses applications récupèrent des informations de contexte concernant les util-isateurs (propriétaires de contexte) tels que leurs habitudes, leurs comportements ou leur état émotion-nel. Ceci offre alors beaucoup d’avantages aux utilisateurs, mais aux dépends de leur intimité. La problématique de recherche de cette thèse se situe dans la vision orientée sémantique de l’IdO proposée par [Atzori et al., 2010] considérant comment représenter, stocker, organiser et explorer les informations générées par l’IdO. Cette vision privilégie l’exploitation des solutions de modélisation pour intégrer la notion de sécurité de la vie privée dans l’IdO.

Les applications et services (consommateurs de contexte) qui sont sensibles au contexte, attendent des données de contexte correctes et fiables afin d’adapter leurs fonctionnalités [Filho, 2010]. Dans cette thèse, la qualité de Contexte (QoC) est une métadonnée qui est associée aux informations de contexte. Elle décrit une série de critères exprimant la qualité de l’information de contexte. Ces métadonnées peuvent être utilisées pour déterminer la valeur de l’information pour une application particulière dans une situation particulière. Nous explorons des solutions intergicielles pour intégrer la gestion de la vie privée et de la QoC dans l’IdO.

Cette thèse se distingue des autres recherches du domaine de la gestion de contexte en tenant compte du découplage entre les participants de l’IdO, à savoir les propriétaires des informations de contexte et les consommateurs de ces informations de contexte. De plus, nous considérons la QoC comme un facteur affectant la vie privée des individus.

Synthèse des contributions

Cette thèse fournit les contributions suivantes selon deux axes:

• Axe 1 : Concevoir un méta-modèle de contrat de contexte pour définir la vie privée et la QoC pour exprimer les préoccupations des propriétaires et des consommateurs de contexte.

Cette conception est basée sur deux points : Premièrement, nous considérons que la vie privée est la capacité des propriétaires de contexte à contrôler quoi, comment, quand, où et avec qui partager des informations. Par conséquent, nous identifions quatre dimensions de la vie privée (le but, la visibilité, la rétention, la QoC), pour les utiliser au moment de la définition des politiques et des

(9)

Nous proposons un modèle de contrat conforme à la Loi des Etats-Unis de 1974 sur la protec-tion de la vie privée et aux lois européennes concernant la protecprotec-tion des renseignements person-nels [OECD, 1980,EU, 1995,EU, 2002]. Nous définissons deux types de contrats de contexte :

1. Les contrats de production de contexte définissent les clauses pour la production de don-nées de contexte avec des exigences de confidentialité (indiquant les exigences des proprié-taires de contexte avant d’accepter de fournir des données de contexte) et des garanties de QoC (établissant les garanties que le producteur de contexte est prêt à remplir en ce qui concerne la QoC).

2. Les contrats de consommation de contexte définissent les clauses de consommation de données avec des exigences de QoC (indiquant le niveau de QoC que le consommateur attend afin de permettre l’exécution d’une application), et des garanties de confidentialité (indiquant les garanties proposées par le consommateur afin de protéger la vie privée des propriétaires des informations de contexte).

Dans cette thèse, la « confiance » est une probabilité subjective par laquelle un individu A (fidu-ciant) attend qu’une autre personne B (fiduciaire) effectue une action déterminée de façon fiable et en toute sécurité dans une situation donnée avec un sentiment de sécurité relative, même si des conséquences négatives sont possibles.

La QoC et la vie privée sont liées à la notion de « confiance », mais sous deux angles différents. Du point de vue du producteur de contexte, la priorité doit être accordée au respect de la vie privée. Si un consommateur de contexte n’est pas digne de confiance, une plus stricte confidentialité est souhaitée. Du point de vue du consommateur de contexte, une qualité d’information élevée est attendue à partir de sources dignes de confiance. Dans le cas contraire, d’éventuelles erreurs peuvent se produire.

La solution présentée dans cette thèse décrit le méta-modèle de contrat pour les consommateurs de contexte et les producteurs de contexte que nous avons proposé pour le cadricielMUCONTEXT défini dans le cadre du projet ANR INCOME1. Chaque type de contrat de contexte est créé sans connaître l’autre partie. Afin de faire correspondre ces deux types de contrats, il est important d’inclure le paramètre de « confiance » permettant à chaque partie d’assouplir ses exigences. Ce méta-modèle définit les éléments de protection de la vie privée, les informations de QoC et le contexte lui-même impliqués lors de l’activation des règles d’accès aux données de contexte. La notion de contrat augmente le sentiment de sécurité et développe la confiance entre les parties, parce que des limites claires sont établies entre ce qu’une partie attend et ce qu’elle est prête à faire pour l’autre partie. Notre méta-modèle est conçu pour être simple à utiliser tout en préservant l’expressivité nécessaire. Ceci est important car les utilisateurs peuvent comprendre et mettre en 1

(10)

tels que [Taconet et al., 2009].

• Axe 2 : Proposer un algorithme pour créer des accords entre les producteurs et les consommateurs de contexte en évaluant et en comparant les exigences et les garanties indiquées sur leurs contrats de contexte respectifs.

Comme les deux parties en présence, producteurs et consommateurs d’informations issues de l’IdO, ont des contrats symétriques, quand un participant définit ses besoins, l’autre définit ses garanties. Le processus de correspondance de ces contrats de contexte vérifie si les exigences de l’une des parties sont couvertes dans les garanties offertes par l’autre partie. Par conséquent, pren-dre une décision basée sur cette compatibilité du point de vue du producteur, conduit à fournir ou non des données contextuelles. Du point de vue du consommateur, l’accès à des données de contexte est autorisé ou refusé. A partir de cette définition, nous avons conçu des algorithmes pour déterminer si la fourniture et la consommation sont autorisées ou non, selon la correspondance entre les contrats de contexte.

Afin de valider notre approche dans un cadre opérationnel, nous comparons la performance de notre solution par rapport à une solution basée sur le standard XACML pour la définition de politiques de con-trôle d’accès. Nous définissons une procédure de traduction pour transformer les contrats de contexte au format XACML afin d’appliquer notre algorithme pour les implémentations existantes de XACML avec un minimum de modifications. Nous pouvons donc intégrer notre méta-modèle ainsi que l’algorithme de traduction de contrat dans les cadriciels de l’IdO existants ou futurs. Nous avons choisi XACML car il possède toutes les caractéristiques pour exprimer les éléments de nos contrats et aussi pour sa popu-larité. Les détails sur notre choix sont explicités dans la section2.7. Afin de valider notre méta-modèle de contrat et l’algorithme d’appariement, nous avons réalisé une étude de cas et mis en œuvre l’entité correspondant au "Point de Décision de la Politique" de XACML (PDP) pour évaluer les contrats traduits. L’étude de cas que nous proposons est divisée en mini-scénarios correspondant à chaque besoin considéré dans cette thèse (voir la section4.3). Nous illustrons les raisons pour lesquelles la QoC est nécessaire pour atteindre les objectifs d’un système, comment la QoC affecte la vie privée et les cas où la confiance contribue à améliorer la QoC reçue. De cette étude de cas, nous extrayons quelques exemples précis où les objectifs de l’application ne peuvent pas être atteints en raison d’une QoC insuffisante. De plus, nous montrons comment une augmentation de la QoC demandée peut compromettre la vie privée.

Les méta-modèles de contrat proposés sont bénéfiques à la fois pour définir des contrats, et aussi pour automatiser la gestion de la livraison des informations de contexte avec la QoC appropriée et une protection de la vie privée satisfaisante. En ce qui concerne le premier avantage, les contrats fournissent un catalogue des contraintes et des modèles pertinents et utiles pour construire des applications sensibles au contexte, considérant que les propriétaires de contexte définissent et adaptent indépendamment des règles de confidentialité. Concernant le second avantage, les contrats de production sont disponibles à l’exécution et peuvent être modifiés à tout moment par les propriétaires de contexte. Ces modèles de contrats offrent ainsi une approche globale afin de correspondre dynamiquement aux exigences et aux

(11)

données contextuelles provenant de l’environnement, et l’organisation des participants. De plus, concer-nant la protection de la vie privée, il devient possible de garantir le bon fonctionnement des applications en prenant en compte la gestion de la QoC et ainsi de favoriser la confiance entre les participants de l’IdO.

Plan du document

Après l’introduction du travail de cette thèse dans le premier chapitre, le présent document est divisé en deux parties et une conclusion. La première partie (chapitres 2 et 3) présente les concepts généraux, les fondamentaux et l’état de l’art liés à l’IdO, la QoC, la notion de confiance, et le respect de la vie privée. La deuxième partie (chapitres 4, 5, 6 et 7) de ce travail, présente nos contributions liées aux contrats de QoC et de vie privée entre producteurs et consommateurs de données de contexte dans le cadre de l’IdO. À cet effet, nous proposons un méta-modèle spécifique pour l’IdO et un middleware pour mettre en correspondondance les contrats de production et de consommation de contexte. Ce document est organisé en sept chapitres, en plus de l’introduction, comme décrit ci-dessous.

• Le Chapitre 2 présente une étude et une analyse d’un ensemble de concepts clés (c.-à-d l’IdO, la QoC, la confiance et la vie privée), puis introduit les technologies (langages et cadriciels), les paradigmes (notion de contrat) et les lois relatifs au sujet de cette thèse. Ce chapitre présente également la liste des critères de protection de la vie privée que nous avons sélectionnés pour comparer les travaux connexes.

• Le Chapitre 3 étudie plusieurs modèles et cadriciels existants pour la protection de la vie privée et la gestion de la QoC au sein de l’IdO. Nous étudions en particulier s’ils considèrent les questions suivantes identifiées pour l’IdO : le découplage entre les producteurs et les consommateurs, la ges-tion de la confiance et la manipulages-tion d’événements dynamiques. Ce chapitre résume différentes solutions qui ont contribué à la définition de la vie privée et à l’identification de ses différentes dimensions. En outre, ce chapitre montre que certains travaux de recherche proposent d’inclure QoC et respect de la vie privée dans les systèmes sensibles au contexte. Enfin, le chapitre montre la conformité de chaque solution proposée avec la liste des critères de protection de la vie privée que nous avons introduite dans le chapitre 2.

• Le Chapitre 4 présente un cas d’utilisation en guise d’illustration. De ce cas d’utilisation, nous extrayons les exigences concernant la gestion de la vie privée et de la QoC dans l’IdO. Nous présentons également l’architecture proposée pour la gestion des contrats de QoC et de respect de la vie privée.

• Le Chapitre 5 présente notre contribution pour la modélisation des contrats dans le cadricielMU -CONTEXT. Nous avons suivi une approche dirigée par les modèles pour formaliser une représen-tation standard pour l’expression des exigences et garanties côté producteur et côté consommateur de contexte. Enfin, ce chapitre décrit l’évaluation des contrats utilisant MUCONTEXT par une approche qualitative.

(12)

teurs.

• Le Chaptitre 7 présente l’approche suivie pour traduire les contratsMUCONTEXT en politiques XACML. Grâce à cette approche, un contrat MUCONTEXT peut être manipulé par un standard bien connu concernant le contrôle d’accès et la protection de la vie privée.

• Le Chapitre 8 conclut la thèse en synthétisant les contributions de notre travail et propose plusieurs perspectives de poursuite de ce travail.

Mots-clés: Internet des Objets (IdO), Vie privée , Qualité de contexte (QoC), Contrats, Ingénierie dirigée par les modèles (IDM).

(13)

The Internet of Things (IoT) is a novel paradigm, which basic idea is the pervasive presence around us of a variety of things or objects that are able to interact with each other and cooperate with their neighbors by sharing data, directly acquired by measuring some facts, in order to reach common goals [Giusto et al., 2010]. This information not only represents the state of users but also the processes in which they are involved, this is called the Context. The context informs both the recognition and mapping of operations onto available services by providing a structured, unified view of the world in which a system operates [Coutaz et al., 2005].

With the IoT, many applications consume context information concerning users (context owners) such as, daily routines, behaviors, health or emotional state, offering lots of benefits to users, but com-promising their privacy. The research problematic of this thesis lies within the “semantic-oriented” IoT vision proposed by [Atzori et al., 2010]) considering issues related to how to represent, store, organize, and search information generated by the IoT. This vision favors the use of appropriate modeling solutions for integrating privacy protection into the IoT.

Context-aware applications and services (context consumers) expect correct and reliable context data to adapt their functionalities [Filho, 2010]. In this thesis, the Quality of Context (QoC) corresponds to meta-data attached to context information describing a range of criteria that express context informa-tion quality. These meta-data can be used to determine the worth of the informainforma-tion for a particular application in a particular situation. We explore middleware and framework solutions to integrate the management of privacy and QoC in the IoT.

This thesis can be distinguished from other context management domain researches by bearing in mind the decoupling of the IoT participants, i.e., the owners of context information and the consumers of this context information. Moreover, we consider QoC as a factor affecting the privacy of individuals. This thesis provides the following contributions along two axis:

• axis 1 Designing a Context Contract Meta-model to define privacy and QoC concerns of decou-pled context owners and context consumers based on reciprocal trust. This meta-model has been proposed for theMUCONTEXTframework in the ANR INCOME2project.

This design is based on two points. Firstly, we consider that privacy is the capacity of context owners to control what, how, when, where and with whom to share information. Therefore, we identify four privacy dimensions (purpose, visibility, retention, QoC), and use them in the defini-tion of access policies and obligadefini-tions. Secondly, context consumers expect a certain QoC level in order to perform their tasks. We then propose to define two kinds of context contract for the producer and the consumer sides as follows:

1. A Context producer contract has clauses expressing the production of context data, privacy requirements, and QoC guarantees;

2. A Context consumer contract has clauses expressing the consumption of context data, QoC requirements, and privacy guarantees.

2

(14)

requirements, which is the Trust. In this thesis, trust is a subjective probability by which an individual A (trustor), expects or believes that another individual B (trustee), performs a given action dependably, securely, and reliably in a given situation within a specified context with a feeling of relative security, even though negative consequences are possible.

Both QoC and privacy are related to the notion of trust, but from two different perspectives. From a context producer point of view, priority must be given to the respect of the privacy. If a context consumer is not trustworthy, a strict privacy is desired. From a context consumer point of view, a piece of context information of high quality is expected from trustworthy sources. If not, possible errors might occur.

• axis 2 Proposing an algorithm to create agreements among context producers and context sumers by evaluating and compare requirements against guarantees, stated on their respective con-text contracts.

As both IoT participants have symmetric contracts, when one participant defines its requirements, the other one defines its guarantees. The matching process of these context contracts verifies if the requirements of one party are included within the guarantees offered by the other party. Therefore, taking a decision based on this compatibility match from the producer point of view is to permit or deny the access to context data. Additionally, from a consumer point of view, the consumption of context data is permitted or denied. From this definition, we designed algorithms to determine whether access and consumption are authorized or not, according to the context contracts matching.

In order to validate our approach in an operational setting, we evaluate the performance of our solution making a comparison with contracts based on the XACML standard for access control. We create a translation procedure to transform context contracts into the XACML format. This allows to apply our algorithm to existing implementations of XACML with minimal modifications.

(15)
(16)

Chapter 1 Introduction

1.1 Motivation and Problem Description . . . 1

1.2 Research Goal and Sub-Goals . . . 3

1.3 Approach . . . 4

1.4 Contributions . . . 4

(17)

Part I Fundamentals and State of the Art on Privacy, QoC, Trust and contracts for the IoT

Chapter 2 Fundamentals and Models of Privacy, QoC, Trust and Contract for the IoT 9

2.1 Introduction . . . 10

2.2 Internet of Things (IoT) . . . 10

2.2.1 IoT Paradigm Vision . . . 11

2.2.2 Enabling Technologies . . . 12

2.2.3 Open Issues . . . 12

2.3 Quality of Context (QoC) . . . 13

2.3.1 QoC Definition . . . 13

2.3.2 QoCIM : A new QoC Meta-model . . . 13

2.4 Trust . . . 17

2.4.1 Trust Definition . . . 17

2.4.2 A Trust Meta-model . . . 18

2.5 Privacy and how to Protect it . . . 19

2.5.1 What Privacy Is Not . . . 19

2.5.2 Privacy Definition . . . 19

2.5.3 Privacy Taxonomy Background . . . 21

2.5.3.1 Purpose . . . 23

2.5.3.2 Visibility . . . 23

2.5.3.3 Retention . . . 24

2.5.3.4 Granularity . . . 24

2.5.4 Privacy Protection Criteria . . . 25

2.5.5 Principles and Actions . . . 26

2.5.5.1 Consent . . . 26

2.5.5.2 Access Control and Authentication vs Anonymity . . . 26

2.5.5.3 Limiting Collection, Purpose, Use, Retention, and Disclosure . . . 28

2.5.5.4 Security and Sensitive Information . . . 28

2.5.5.5 “Openness, Accuracy and Integrity” vs. Obfuscation . . . 28

2.5.6 Proposed Privacy Protection Criteria List . . . 29

(18)

2.7 Privacy Policy Languages . . . 32

2.7.1 P3P - Platform for Privacy Preferences . . . 32

2.7.2 EPAL - Enterprise Privacy Authorization Language . . . 33

2.7.3 SAML - Security Assertion Markup Language . . . 34

2.7.4 XACML - eXtensible Access Control Markup Language . . . 35

2.7.5 Conclusion . . . 36

2.8 Conclusion . . . 37

Chapter 3 State of the Art of Models and Frameworks for Privacy and QoC Management in the IoT 39 3.1 Introduction . . . 39

3.2 Obligation of Trust Protocol (OoT Protocol) . . . 40

3.3 PrimeLife policy engine (PPL Engine) . . . 42

3.4 The User-Centric Privacy Framework (UCPF) . . . 45

3.5 Family of Context-Based Access Control Models . . . 48

3.6 SensorSafe and Obfuscation Frameworks . . . 51

3.7 Context-Based Trust and Privacy Management . . . 54

(19)

Part II Contributions -MUCONTEXTContracts

Chapter 4 Motivations, Requirements and Architecture to Manage Privacy and QoC in

the IoT 61

4.1 Introduction . . . 61

4.2 Motivating Scenario . . . 62

4.3 Requirements Analysis . . . 63

4.3.1 Context Situation Requirements . . . 63

4.3.2 QoC Concern Requirements . . . 64

4.3.3 Privacy Concern Requirements . . . 64

4.4 Proposed Architecture . . . 65

4.4.1 Coarse Grain Architecture . . . 66

4.4.1.1 Primary Presentation of the Architecture . . . 66

4.4.1.2 Catalogue of Elements . . . 68

4.4.2 View “Component” . . . 69

4.4.2.1 INCOME architecture layers and components . . . 69

4.4.2.2 Catalogue of Elements . . . 71

4.4.3 View “Dynamic” and matching process . . . 72

4.5 Requirements Summary . . . 75

4.6 Conclusion . . . 76

Chapter 5MUCONTEXTContract Meta-model to define Privacy and QoC concerns 79 5.1 Introduction . . . 80

5.2 Contracts between Producers and Consumers . . . 80

5.2.1 MUCONTEXTContracts in the IoT Architecture . . . 80

5.2.2 Two Types of Context Contract . . . 81

5.2.3 Context Contract Dimensions . . . 83

5.3 MUCONTEXTContract Meta-Model . . . 85

5.3.1 Definitions . . . 85

5.3.2 Producer Contract . . . 87

5.3.3 Consumer Contract . . . 88

5.3.4 PrivacyTerm and QoCTerm classes . . . 89

(20)

5.4.2 Visibility Meta-model . . . 94

5.4.3 Retention Meta-model . . . 97

5.4.4 QoC dimension . . . 99

5.5 MuContext Contract Meta-Model Validation . . . 101

5.5.1 Validation through Bike4All Use Case . . . 101

5.5.2 Implementation ofMUCONTEXTContracts . . . 102

5.5.3 Producer and ConsumerMUCONTEXTContracts for Bike4All . . . 104

5.5.4 MUCONTEXTContracts vs Requirements . . . 113

5.5.4.1 Handling constantly evolving context data (R1) . . . 113

5.5.4.2 Handling evolutive requirements on QoC (R2) . . . 113

5.5.4.3 Privacy Policy Language that supports QoC definitions (R3) . . . 114

5.5.4.4 Evolution of Privacy Requirements (R4) . . . 114

5.5.4.5 Specifying and enforcing privacy preferences (R5) . . . 115

5.6 Conclusion . . . 117

Chapter 6 Algorithm to Create Agreements between Context Producers and Context Con-sumers 119 6.1 Introduction . . . 119

6.2 Concepts and Assumptions . . . 120

6.3 MainMUCONTEXTContract Matching Algorithm . . . 120

6.4 Producer Requirements Validation Algorithm . . . 121

6.4.1 Formalization ofMUCONTEXTcontracts . . . 121

6.4.2 Producer requirement validation algorithm . . . 123

6.5 Consumer Requirement Validation Algorithm . . . 126

6.6 Clause Combination Algorithms . . . 127

6.6.1 Deny Overrides Algorithm . . . 127

6.6.2 Permit Overrides Algorithm . . . 127

6.7 Validation ofMUCONTEXTContract Matching Algorithms . . . 127

6.7.1 Experiment . . . 127

6.7.2 Experimental setup . . . 128

(21)

6.7.3.1 Correctness . . . 129

6.7.3.2 Efficiency . . . 138

6.8 Conclusion . . . 140

Chapter 7 Translation ofMUCONTEXTcontract into XACML 3.0 143 7.1 Introduction . . . 143

7.2 Global Translation Process . . . 144

7.3 Runtime Evaluation of aMUCONTEXTContract . . . 146

7.4 Translation Process . . . 147

7.4.1 Hierarchical Structure ofMUCONTEXTContract Meta-Models . . . 147

7.4.2 MuContext Contracts to XACML Categories, Attributes and Functions . . . 148

7.5 Translation Process Outcomes . . . 150

7.5.1 Consumer Context Request Outcome . . . 151

7.5.2 Producer Policy Set (Contract Header) Outcome . . . 151

7.5.3 Producer Policy (Clause Example) Outcome . . . 151

7.6 Translation Assessment . . . 152

(22)

Chapter 8 Conclusion and Perspectives 157

8.1 Conclusion . . . 157

8.2 Perspectives . . . 158

Appendices 161

Appendix A Publication List 163

A.1 Publications in journals, Conferences and Workshops . . . 163

A.2 Contributions to the INCOME Project . . . 164

Appendix B Extra-functional requirements to define Context Contracts 165

Appendix C Motivating Scenario Simulation 173

Appendix D Input and Output Data for each Test of Correctness 179

Appendix E XACML 3.0 Background 183

Appendix F MuContext Contracts to XACML Translation Tables 187

Appendix G MuContext Contract Translation into XACML 3.0 Examples 195

G.1 Consumer Request Example . . . 195

G.1.1 Description . . . 195

G.1.2 MuContext Contract Example . . . 196

G.1.3 Translation of the MuContext Contract into XACML . . . 198

G.2 Producer Policy Set (Contract Header) . . . 204

G.2.1 Description . . . 204

G.2.2 MuContext Contract Example . . . 204

G.2.3 Equivalent MuContext Contract in XACML . . . 206

G.3 Producer Policy (Clause Example) . . . 209

G.3.1 Description . . . 209

G.3.2 MuContext Contract Example . . . 209

(23)

Appendix H muContext Contract Full Listings 217

(24)

1.1 Distributed view of producers, consumers and contracts . . . 2

2.1 Applications domains and relevant major scenarios [Atzori et al., 2010] . . . 11

2.2 “IoT” paradigm as a result of the convergence of different visions.

[Atzori et al., 2010] . . . 12

2.3 QoCIM : QoC Information Model [Marie et al., 2013b] . . . 15

2.4 Trust Type Model [Neisse, 2012] . . . 18

2.5 Privacy Multiple Dimensions Diagram by [Clarke, 2013] . . . 20

2.6 Example of Data Privacy dimension levels [Barker et al., 2009] . . . 23

2.7 Meta-model Layers . . . 31

2.8 HTTP transaction with P3P . . . 33

2.9 The relationship between basic SAML Concepts [Ragouzis et al., 2008] . . . 34

2.10 Core XACML constructs and their interrelationships. [Rosenberg and Remy, 2004] . . . 36

3.1 SAML Obligation of Trust Model [Mbanaso et al., 2009] . . . 40

3.2 Example of a Service Provider (ITS) XACMLPrivacyAssertion [Mbanaso et al., 2009] . 41

3.3 Example of a Customer XACMLPrivacyAssertion [Mbanaso et al., 2009] . . . 41

3.4 The OoT Protocol Sketch [Mbanaso et al., 2009] . . . 42

3.5 PPL model of interaction [PrimeLife, 2010] . . . 43

3.6 PPL Schema [PrimeLife, 2010] . . . 44

3.7 UCPF model of interaction [Bagüés et al., 2010] . . . 46

3.8 UCPF policy language [Bagüés et al., 2010] . . . 46

3.9 UCPF Agreement negotiation [Bagüés et al., 2010] . . . 47

3.10 The family of Context-Based Access Control Models proposed by [Filho, 2010] . . . 49

3.11 SensorSafe Architecture [Chakraborty et al., 2011] . . . 52

3.12 Different data flow paths from provider to consumer. Data shared with (a) locally run-ning app (b) directly with cloud-hosted app (c) via trusted broker with cloud-hosted app. [Chakraborty et al., 2012] . . . 53

3.13 Roles In Context-Aware Platform [Neisse, 2012] . . . 55

4.1 Proposed IoT Architecture (general schema) . . . 67

(25)

4.3 MUCONTEXTContract Management Layer Architecture . . . 70

4.4 Local Advertisement and Global Subscription [Conan et al., 2013] . . . 73

4.5 MUCONTEXTContract Management Data-flow Diagram . . . 74

5.1 Considering Privacy and QoC requirements and guarantees in the Context Management Architecture (adapted from [Chabridon et al., 2013]) . . . 81

5.2 MuContext Contract Creation Process . . . 82

5.3 The two Types ofMUCONTEXTContracts . . . 82 5.4 Context Contract Dimensions . . . 84

5.5 Context Contract Meta-Model . . . 85

5.6 Clause Meta-Model . . . 86

5.7 Privacy Term Meta-Model . . . 89

5.8 QoC Requirement and Guarantee Meta-Model . . . 90

5.9 Integration of the clause model with QOCIM . . . 91

5.10 QoCIM based precision criterion model used as a context consumer clause . . . 92

5.11 Purpose Meta-Model . . . 93

5.12 Purpose Example Tree . . . 94

5.13 Visibility Meta-Model . . . 95

5.14 Visibility Tree Example . . . 96

5.15 Retention Meta-model . . . 97

5.16 Temporal Retention Example . . . 98

5.17 Retention Example Tree . . . 99

5.18 Sharing Location in a Social Bike System (Use Case Scenario) . . . 102

5.19 MUCONTEXTContract Model Editor . . . 103

5.20 ProducerMUCONTEXTContract Diagram - Context Situations . . . 104

5.21 ProducerMUCONTEXTContract Diagram - QoC Guarantee (Any QoC) . . . 106 5.22 ProducerMUCONTEXTContract Diagram - QoC Guarantee (very Low QoC) . . . 107

5.23 ProducerMUCONTEXTContract Diagram - QoC Guarantee (High QoC) . . . 108

5.24 Producer Contract - Privacy Requirement Example (part A) . . . 110

5.25 Producer Contract - Privacy Requirement Example (part B) . . . 111

5.26 Producer Contract - Privacy Requirement Example (part C) . . . 112

5.27 Stub Consumer Contract . . . 116

5.28 Stub Producer Contract . . . 117

6.1 MainMUCONTEXTContract Matching : Flow Chart . . . 122 6.2 Privacy Match Validation (pClause1Iteration) . . . 123

6.3 Privacy Match Validation (pClause2Iteration) . . . 124

6.4 Motivating example for Consumer Requirement Validation Algorithm, Paths 1 and 2 . . 130

6.5 Motivating example for Producer Requirement Validation Algorithm, Paths 3 and 4 . . . 131

6.6 Average execution time by path and number of clauses . . . 139

6.7 Average number of executions during 1 second by path and number of clauses. . . 140

(26)

7.4 muContext Contract Hierarchical Strucure . . . 147

7.5 Translation of aMUCONTEXTProducer Contract into XACML Policy Set . . . 148

7.6 Translation of aMUCONTEXTConsumer Contract into XACML Request . . . 149 C.1 GPS Location Simulation . . . 173

C.2 Evolution of the proximity of other users respects to David (Simulation) . . . 174

C.3 Different QoC delivered by David (Location obfuscation example) . . . 174

C.4 Distance calculation between David and Other End-users at minute 26 Diagram . . . 174

C.5 Distance calculation between David and Other End-users at minute 17 Diagram . . . 176

E.1 XACML PDP . . . 184

(27)
(28)

Introduction

Contents

1.1 Motivation and Problem Description . . . 1

1.2 Research Goal and Sub-Goals . . . 3

1.3 Approach . . . 4

1.4 Contributions . . . 4

1.5 Layout of the document . . . 6

1.1

Motivation and Problem Description

Day after day, the Internet is being extended with the interconnection of a big range of small devices (e.g., Sensors and smart objects) to build the Internet of Things (IoT) [Ma, 2011]. This enables everyday ob-jects to share information among themselves and/or with other systems, thus providing events occurring in a world wide network to applications. As a consequence, mobile applications become context-aware taking into account events occurring in the environment. With the IoT, many applications can consume context data concerning user activities, behaviours, daily routines, health and welfare, which brings a lot of possible benefits to the user. However, as pointed out by Buckley [Buckley, 2006], the IoT raises critical issues concerning privacy. Agre and Rotenberg [Agre and Rotenberg, 1998] define privacy as the power someone has over a piece of information that belongs to him or her. Concretely, we define privacy as the capacity of control about what, how, when, where and with whom to share information.

Figure 1.1 introduces the vocabulary used in this document. The Context owner, (i.e., a person, a group of persons, or an organization) is the entity having the capacity of decision and control about privacy rules over his/her/its context data. Software and hardware entities providing these context data are named Context producers. Entities that require context data, i.e., context-aware applications, are called Context consumers. Persons that access those applications are called Context end-users. The middleware between consumers and producers is the Context manager; it is in charge of allowing or denying access to context data autonomically to consumers with the appropriate level of Quality of Context (QoC), while preserving the privacy of the context owner.

(29)

Figure 1.1: Distributed view of producers, consumers and contracts

Taking into account QoC is essential for IoT applications for the following reasons: (i) The disparity and instability of the producers, (ii) Different ways to manage the information, (iii) Difficulties to recover the information. QoC management must therefore provide mechanisms to reduce the impact that all these situations can produce over the ambient services.

QoC is defined by a set of measurable quality criteria such as precision, error probability or fresh-ness [Buchholz et al., 2003]. Each context consumer has different requirements on each quality criteria according to its needs. Some context consumers require more precision, others more freshness, and so on. Through QoC, the worth of context data for a specific application is evaluated. For example, to take a decision or to guarantee an appropriate quality of service, a minimum level of QoC is required.

One of the main challenges of building trusted context-aware applications for the IoT is that context producers and context consumers are decoupled, i.e., they run on remote devices and are not aware of each other. Furthermore, in some cases, context owners want to remain anonymous to protect their privacy. It is therefore necessary to find a trade-off between the context owners’privacy requirements and the level of QoC required by applications. That is to say, how much QoC is enough to achieve the objective of an application without delivering the maximum available QoC so as to preserve privacy. However, limiting the QoC provided for privacy purpose is interesting, but not sufficient. To solve the trade-off between privacy and QoC, trust plays an important role. While tuning QoC for privacy, we are interested in determining if context owners trust context end-users, as well as, if context consumers trust the context data collected by context providers. The higher the level of trust between owners and consumers, the higher the level of QoC consumers will be allowed to get and the higher the quality and/or the performance of the applications.

A part of the problem is how to match producers’ restrictions in terms of privacy with consumers’ requirements in terms of QoC. Additionally, how to establish an agreement about which metrics must be

(30)

used to determine if privacy is respected and QoC is reached. It means that, at some point, users should be aware of how much privacy was actually respected and should be able to modify their requirements at runtime if necessary. Therefore, applications should promote their trustworthiness and should not ask for more than what they really need. How can users be sure that these applications are secure enough against privacy violations? How can they trust these applications? Transparency is the key; systems should provide clear mechanisms to watch what they are doing at runtime and an easy way to configure them. The issue is to find a mechanism where consumers and producers can reach an agreement about the amount of information needed to respect both privacy and usefulness of information.

We propose to answer this issue with contracts between consumers and producers that include clauses on privacy and QoC. The contract must define the conditions in which producers and consumers accept to share/receive data. From the producer point of view, the contract must help to define clearly the level of privacy protection required and, from the consumer point of view, the contract must express the QoC required for the proper functioning of applications. In operational terms, the consumer asks for a determined QoC in order to guarantee the system output and the producer decides to share its data or not depending on the trade-off in terms of privacy requirements. This type of contract is essential in the development of the IoT, since it enables producers to trust consumers and at the same time this will allow applications to be more efficient and produce assertive decisions based on data with a sufficient level of QoC.

1.2

Research Goal and Sub-Goals

This thesis has for ambition to provide meta-models to express the requirements in terms of QoC and privacy protection among the participants of the IoT as well as the matching algorithms to apply these meta-models through the different IoT context applications, for both the industry and the general public by addressing the main challenges mentioned earlier.

The main objective of this PhD thesis has been split into two sub-objectives, indicating the steps to be followed in this research:

1. To express a meta-model to define requirements and their variability, particularly concerning QoC and Privacy for the decoupled participants, context producers and context consumers, of the IoT.

When designing context-aware systems, developers must be able to express their contractual re-quirements in terms of their extra-functional properties for context information. Thus, IoT systems will be able to better manage their adaptations. The requirements must be able to vary during exe-cution under certain predefined conditions. Symmetrically, the context management system must identify the QoC information and privacy provided and / or used.

2. To design an algorithm to evaluate and compare the stated requirements against guarantees defined by the IoT participants to create agreements to share context information.

The matching process of the meta-model instances verifies if the requirements of one party are included in the guarantees offered by the other party. Thus, determining whether access and con-sumption are authorized or not, according to the matching process.

(31)

This thesis studies solutions in terms of, on the one hand, models with the design and the execution of ambient systems for taking into account extra-functional constraints, and on the other hand, mechanisms to evaluate the expressed requirements.

1.3

Approach

We first conducted a survey on the concepts of IoT, QoC, Trust, Privacy, Contract Formalization and Privacy Policy Languages. These concepts are the backbone of our thesis.

We then performed a study on privacy taxonomies and privacy protection criteria to identify the main characteristics, requirements and concepts involved in respecting privacy taking into account the constraints imposed by the IoT to determine the information required to design privacy contracts. Addi-tionally, based on these privacy protection criteria and some privacy protection mechanisms, we defined a list of criteria to compare previous works related to our investigation.

Furthermore, we identify existing suitable meta-models to be part of our meta-model solution, such as, QoC and trust models. Our final aim is to create a meta-model which includes all these elements together to define contracts to protect the privacy of IoT users.

To answer the thesis objectives presented in Section1.2, we propose the following approach:

Model Driven Engineering

The model driven engineering paradigm allows one to define specific meta-models. These meta-models allow then to design and develop models that will act both statically (design life cycle) and dynamically (runtime life cycle). Statically, the model ensures that contracts can be checked by the context manager in order to be used to generate composite objects which audit contracts. For example, one can determine statically freshness constraints that should be checked at runtime. Dynamically, the model ensures that contracts can evolve depending on the context information in order to be used to generate compositions of objects at runtime. For example, the freshness of information can be checked at runtime to fit the needs of context-aware applications.

1.4

Contributions

We propose context contracts compliant with the U.S. Privacy Act of 1974 and European laws concerning privacy [OECD, 1980,EU, 1995,EU, 2002].

We define two kinds of context contracts. Producer context contracts define clauses for the produc-tion of context data with privacy requirements (indicating the context owner demands before accepting to provide context data) and QoC guarantees (establishing the guarantees the producer is ready to fulfill with respect to QoC). Consumer context contracts define clauses for the consumption of context data with QoC requirements (establishing the QoC the consumer is expecting for running an application), and privacy guarantees (indicating the guarantees the consumer agrees on in order to protect the privacy of the context owner).

(32)

The solution presented in this thesis describes privacy and QoC meta-models to create rules for combining them. We create theMUCONTEXT Contract meta-model for context consumers and context producers in the course of the ANR INCOME project. The notion of contract increases the feeling of security and improves trust because it establishes clear limits of what one part expects and what it is willing to do for the other part. Our language is intended to be less wordy than current privacy policy languages preserving the required expressiveness. This is important because users can understand and easily set up how their information is used by IoT applications. These meta-models can be added to an already existing context management meta-model [Taconet et al., 2009].

As producers and consumers are decoupled, we create a symmetric MUCONTEXT contract meta-model for both of them. Such contracts allow both producers and consumers to use the same concepts to define their guarantees and requirements. Based on this, we design an algorithm to match the guarantees of ones with the requirements of the others to create agreements to access context data.

We define a translation process of ourMUCONTEXTContracts into the XACML language. Therefore, we can integrate ourMUCONTEXTContract meta-model and matching algorithm into existing or future IoT frameworks. We choose XACML because it possesses all the features to express the elements of ourMUCONTEXT Contracts and also for its popularity. More details on this decision can be found in Section2.7.

In order to validate theMUCONTEXT contract meta-model and matching algorithm, we designed a case study and implemented an XACML Policy Decision Point (PDP) to evaluate the translated contracts. The case study we propose, is split in mini-scenarios each corresponding to one of the identified re-quirements addressed by this thesis (See Section4.3). We illustrate why being aware of QoC is necessary to achieve the objectives of a system. That is how QoC affects privacy and in which cases trust helps to improve QoC. From this case study, we extract some examples of where the objectives of the applica-tion could not be reached due to poor QoC. Likewise, we show how increasing QoC could compromise privacy.

The proposedMUCONTEXTcontract meta-models are beneficial both: (1) for defining contracts, and (2)for automating the management of context delivery with appropriate QoC and privacy protection. Regarding the first benefit, contracts provide a guide to formulate and develop rules, constraints and mod-els relevant and useful for building context-aware applications, whereas context owners independently define, and then adapt their privacy rules. Regarding the second benefit, the producerMUCONTEXT con-tract are available at runtime and may be modified at anytime by context owners. Such concon-tract models offer a comprehensive approach to dynamically match QoC/privacy requirements and guarantees. Each half contract participates to an autonomic matching performed by a context manager. The matching takes into account dynamic facts concerning the current trust among producers, consumers, context data coming from the environment, and the organization of the participants. Considering privacy protection, guaranteeing the smooth operation of applications through QoC management will enable trust among IoT participants.

(33)

1.5

Layout of the document

After introducing the work of this thesis in this first chapter, this document is divided into two parts and a conclusion. The first part (Chapters 2 and 3) presents general concepts, fundamentals and state of the art related to IoT, QoC, Trust, Privacy. The second part (Chapters 4, 5, 6 and 7) of this work, presents our contributions related to QoC and privacy agreements between producers and consumers of data in the IoT. For this purpose, we propose a specific meta-model for the IoT and a middleware to match producer and consumer agreements.

This document is organized into 8 (eight) Chapters, including this introduction, as described below. • Chapter 2 presents a study and analysis of a set of key concepts (i.e., IoT, QoC, Trust and Privacy),

technologies (languages and frameworks), paradigms (notion of contract) and laws concerning the subject of this thesis. This chapter also presents the list of protection criteria we have selected to study related works.

• Chapter 3 studies several existing models and frameworks for privacy and QoC enforcement in the IoT. We specifically study if they consider the following issues identified for the IoT: the decoupling of producers and consumers, trust management and the handling of dynamic events. This chapter summarizes different works that have contributed to the definition of privacy and the identification of its different dimensions. As well, this chapter shows that some research works propose to include QoC and Privacy concerns into context-aware systems. Finally, the chapter shows the compliance of each proposed solution with the selected privacy protection criteria list introduced in Chapter 2.

• Chapter 4 presents an illustrative use case. From this use case, we extract requirements concerning the management of privacy and QoC in the IoT. We also introduce the proposed architecture for managing QoC and privacy agreements.

• Chapter 5 presents our contribution: MUCONTEXT contracts. We have followed a model-driven approach to formalize a standard representation to express the requirements and guarantees of both producers and consumers. Finally, this chapter describes the evaluation of theMUCONTEXT contracts following a qualitative approach.

• Chapter 6 introduces the matching process ofMUCONTEXTcontracts to create agreements nec-essary for sharing context data between producers and consumers.

• Chapter 7 presents the approach followed to translateMUCONTEXTcontracts into XACML poli-cies and requests. Through this approach, MUCONTEXT contracts may be handled using a well known standard for access control and privacy.

• Chapter 8 concludes the thesis by synthetising the contributions of our work, as well as exposing perspectives.

(34)

Fundamentals and State of the Art

on Privacy, QoC, Trust and contracts for

(35)
(36)

Fundamentals and Models of Privacy,

QoC, Trust and Contract for the IoT

Contents

2.1 Introduction . . . 10

2.2 Internet of Things (IoT) . . . 10

2.2.1 IoT Paradigm Vision . . . 11

2.2.2 Enabling Technologies . . . 12

2.2.3 Open Issues . . . 12

2.3 Quality of Context (QoC) . . . 13

2.3.1 QoC Definition . . . 13

2.3.2 QoCIM : A new QoC Meta-model . . . 13

2.4 Trust . . . 17

2.4.1 Trust Definition . . . 17

2.4.2 A Trust Meta-model . . . 18

2.5 Privacy and how to Protect it . . . 19

2.5.1 What Privacy Is Not . . . 19

2.5.2 Privacy Definition . . . 19

2.5.3 Privacy Taxonomy Background . . . 21

2.5.4 Privacy Protection Criteria . . . 25

2.5.5 Principles and Actions . . . 26

2.5.6 Proposed Privacy Protection Criteria List . . . 29

2.6 The Notion of Contract . . . 29

2.6.1 Contract Definition . . . 30

2.6.2 Contract Formalization . . . 30

2.7 Privacy Policy Languages . . . 32

(37)

2.7.2 EPAL - Enterprise Privacy Authorization Language . . . 33

2.7.3 SAML - Security Assertion Markup Language . . . 34

2.7.4 XACML - eXtensible Access Control Markup Language . . . 35

2.7.5 Conclusion . . . 36

2.8 Conclusion . . . 37

2.1

Introduction

This chapter presents a study and analysis of a set of key concepts, technologies, paradigms and laws in order to understand the subject of this thesis. In this path, several relevant research works were analyzed from the management of personal, sensitive information to the study of the different European privacy laws. They give us a guideline, even if they were not exactly tackling the same issue. Moreover, many technologies were studied during the development of this thesis. Next are presented those selected as the most suitable proposals to solve the problem. This chapter is organized as follows:

Section 2.2 presents the concept of IoT used in this thesis and positions our work within the IoT paradigm vision. The next section (2.3) introduces the concept of QoC considered in this thesis. Besides, it presents the meta-model chosen to represent the QoC. Section2.4presents the concept of Trust used in this thesis. Furthermore, it shows the meta-model chosen to represent the Trust in our solution. Section

2.5clarifies what is privacy in the frame of this thesis and describes the main dimensions that compose privacy. It also discusses some protection criteria that can be used to protect privacy. Section2.6explains the notion of contract by making an analogy with real life contracts. Furthermore, it presents the model-driven approach followed to formalize the contracts. Section 2.7 focuses on suitable languages and frameworks for the definition of privacy policies in order to choose a suitable language to represent context contracts.

2.2

Internet of Things (IoT)

The Internet of Things (IoT) is a novel paradigm that is rapidly gaining ground in the scenario of modern wireless telecommunications. The basic idea of this concept is the pervasive presence around us of a variety of things or objects, such as Radio-Frequency IDentification (RFID) tags, sensors, actuators, mobile phones, which are able to interact with each other and cooperate with their neighbors to reach common goals [Giusto et al., 2010].

In fact, IoT semantically means “a world-wide network of interconnected objects uniquely address-able, based on standard communication protocols” [INFSO, 2008]. This implies that a huge number of (heterogeneous) objects are involved in the process.

Many are the domains and the environments in which new IoT applications would likely improve the quality of our lives, for example: transportation and logistics domain, health care domain, smart environment (home, office, plant) domain, personal and social domain. Figure2.1presents some of the potential applications among the inconceivable number of solutions that can provide the IoT.

(38)

Figure 2.1: Applications domains and relevant major scenarios [Atzori et al., 2010]

[Atzori et al., 2010] conducted a survey on the IoT paradigm, which describes the different visions that the research community has about an IoT definition. They identify the technologies that enable the IoT, and describe the remaining open issues. In this section, we connect these aspects with the subject of our work.

2.2.1 IoT Paradigm Vision

The IoT paradigm is the result of the convergence of the three main visions “Things oriented”, “Semantic oriented” and “Internet oriented”, according to [Atzori et al., 2010]. Figure 2.2 shows these visions, highlighting and classifying with reference to the IoT the technologies and standards that they contribute to characterize.

The subject of this thesis lies within the “semantic-oriented” IoT vision. The idea behind this vision is that the number of items involved in the Future Internet is destined to become extremely high. Therefore, issues related to how to represent, store, interconnect, search, organize, and share information generated by the IoT will become very challenging [Atzori et al., 2010]. Another aspect to take into account is the security. Traditional security goals like confidentiality, availability, reliability, integrity, accountability, responsibility, do not cover all the needs and threats of the IoT. In this context, semantic technologies play a key role. In fact, they can exploit appropriate modeling solutions for integrating privacy and security into the IoT. The major implication of pervasive systems on security is the risk and negative consequences for the privacy of its users. For that, it is important to include privacy from the design of such systems. The privacy problem is the main concern of our contribution.

(39)

Figure 2.2: “IoT” paradigm as a result of the convergence of different visions. [Atzori et al., 2010]

2.2.2 Enabling Technologies

The most relevant technologies that make the IoT possible as identified by [Atzori et al., 2010] are “Iden-tification, sensing and communication technologies” and “Middleware”. In the context of this disserta-tion, we are interested in exploring middleware solutions to integrate the management of privacy and QoC in the IoT.

A middleware is a software application that provides core services like concurrency, transactions, messaging, security. The middleware can be composed of one layer or a set of sub-layers interposed between a technology and the application level. The middleware allows programmers to focus on their specific purpose, which is the development of a specific application enabled by the IoT infrastructure. The middleware does the heavy lifting by hiding the details of the different technologies implied in the IoT.

The middleware is most commonly used as software that enables communication and management of data in distributed applications. Moreover, it is gaining more and more importance in the last years due to its major role in simplifying the development of new services and the integration of legacy technologies into new ones.

[Katasonov et al., 2008] describes a solution to meet the middleware needs for the domain of the IoT. They believe that the development of a new generation of middleware platform will allow the cre-ation of self-managed complex systems, consisting of distributed, heterogeneous, shared and reusable components of different nature.

2.2.3 Open Issues

A large research effort is still required, even if the IoT becomes feasible thanks to the already existing enabling technologies. [Atzori et al., 2010] describes the problems related to standardization activity,

(40)

addressing and networking issues, security and privacy. We focus our research on privacy protection and intend to limit a potential performance degradation of applications accessing the IoT.

People will resist to the IoT as long as they have no strong confidence that it will not cause serious threats to their privacy. The main issue related to privacy comes from the ease with which a lot of private data about a person can be collected without the person being even aware of it. The control of the diffusion of such data is impossible with current techniques.

In the next sections, we first consider the notions of QoC and trust respectively in Section2.3and Section2.4. We will then address the concept of privacy later in Section2.5.

2.3

Quality of Context (QoC)

Prior to defining the notion of QoC, it is important to make a clarification regarding context data and context information concepts. In this manuscript, both terms are used with the same meaning as in the domain of information management where data are considered as plain facts. Only when it is relevant, a distinction between data and information will be made. Context data represent useful raw data that have been acquired by a context-aware application through sensing, observing, or measuring some facts. Context information is obtained from context data that have been processed, organized, or structured in order to provide meaningful information that applications are able to interpret [Arcangeli et al., 2012].

2.3.1 QoC Definition

QoC is related to any inherent information that describes context information and can be used to deter-mine the worth of the information for a specific application [Buchholz et al., 2003]. QoC specializes the general notion of Quality of Information (QoI) for context information.

Context-aware applications and services expect correct and reliable context data to adapt their func-tionalities [Filho, 2010]. Karen Henrickson et al. have determined imperfection as a characteristic of context information: “Information may be incorrect if it fails to reflect the true state of the world it mod-els, inconsistent if it contains contradictory information, or incomplete if some aspects of the context are not known.”[Henricksen et al., 2002]. Later on, they consider that ...context models will need to specify a range of characteristics of context information. . .[Indulska et al., 2003]

Therefore, several research teams ([Hönle et al., 2005], [Zimmer et al., 2006]) have proposed to at-tach metadata to context information representing its quality. These metadata allow the improvement of the operational value of the context.

Summarizing, in this thesis the QoC corresponds to meta-data attached to context data describing a range of criteria that express context quality. These meta-data can be used to determine the worth of context information for a particular application in a particular situation.

2.3.2 QoCIM : A new QoC Meta-model

[Marie et al., 2013b] has conducted a rigorous study of several works that address QoC modelling and management. Table2.1summarizes the models they studied to conclude that none of them can easily

(41)

provide without adaptation the three necessary properties that they identify for an information model for QoC namely expressiveness, genericity and computability.

Model→

OGC IoT-A COSMOS CIM OMG

↓Wished property

Expressiveness X X

Computability X X X

Genericity X X

Table 2.1: Summary of the studied models [Marie et al., 2013b]

Additionally, [Marie et al., 2013b] analyzed and compared different proposals of QoC criteria lists defined by different authors. Their analysis explicitly demonstrates the existence of divergences and concludes on the difficulty to converge to a unique and exhaustive QoC criteria list. Table2.2highlights their conclusions showing that there is no consensus about which QoC criteria have to be used to measure the QoC of context information. Moreover, the table provides a way to compare different lists of QoC criteria. This makes possible to compare new specific lists among them. Indeed, with the development of context-aware applications, new high level criteria could appear and Table2.2 provides a method to organize and combine lists of QoC criteria.

Facing this situation, Marie et al. [Marie et al., 2013b] propose the meta-model, QOCIM depicted in Figure2.3. QOCIM is dedicated to exploit and to manipulate any QoC criterion within context managers and context-aware applications.

The three main advantages of QOCIM model according to its authors are: (i) It is not dependent on any QoC criterion. (ii) It offers a unified solution to model, at design time, heterogeneous QoC criteria. (iii)The models based on QOCIM could be used, at runtime, by both context managers and context-aware applications, for dynamic valuation of the QoC. Thanks to these three characteristics the QOCIM model fits perfectly our needs. Therefore, we decide to integrate QOCIM as part of our solution to model contracts.

(42)

QoCIndicator id : EInt QoCCriterion id : EString Description name : EString keywords : EString informalDenition : EString QoCMetricDenition id : EString isInvariant : EBoolean unit : EString direction : Order providerUri : EString minValue : EInt maxValue : EInt QoCMetricValue id : EInt value : EInt creationDate : EDate <<enumeration>> Order INF SUP UNDEF ContextInformation uri : EString value : EInt has 0..* isDenedBy 1 contains 1..* value 0..* primitiveDenition 0..* 0..* isDescribedBy 0..1 denition 0..1 isQualiedBy 0..* compositeDenition

(43)

Chronological order Criterion Reference [Buchholz et al., 2003] [Kim and Lee, 2006] [Sheikh et al., 2007] [Filho, 2010] [Manzoor et al., 2012] [Neisse, 2012] 1 Probability context is correct, free of errors

Correctness Accuracy Precision Accuracy Precision

2

Max. distance for sensor to get

context

Sensor range 3 Location of the

real world entity

Entity location 4 Location of the sensor Sensor location 5 Period between two collections of context Temporal

resolution X Time period 6 Date of collection of context X X X X Measurement time Timestamps 7 Granularity location of context Spatial resolution Resolution Abstraction order 8 Rate the confidence of the provider Trust worthiness 9 Critical value of context Significance 10 Granularity (detail level) of context

Precision Precision Sensitiveness Usability

11 Context consumer have access to context X Access right 12 Context transfers restricted and secured Access security (11) Access security 13 Format coherence with consumer needs Consistency Consistency 14 All aspects of entity are available

Resolution Completeness Completeness Completeness

15 Believe in the correctness of context Correctness Reliability (1,2,3,4) 16 Validity of context depending on freshness Up to dateness (6) Up to dateness (6) Freshness (6) Up to dateness (5,6) Timeliness (5,6)

Name Criterion (name + meaning) only defined by one author Meaning Meaning defined by all authors Name Name defined by different authors for different meanings Name Name only defined by one author Name Name defined by different authors for the same meaning Name (X) The definition of this criterion

depends on theXcriterion X Criterion not defined by author but another criterion depends on it

(44)

2.4

Trust

On the Internet in general, trust is an essential factor in the success of websites, systems and services. If an end-user feels confident in a system/service or in the intermediary through which he/she reaches that system/service, this indicates that it is likely that this person agrees to disclose personal or private information such as medical data, credit cards numbers. He/she will feel protected and knows that on the other side, everything is prepared to prevent any leak of information that he/she does not want to reveal. Taking the example of the Amazon.com web site, though which most people buy to sellers they do not know. However, given the general trust in that website, they do these purchases relying on the assumption that Amazon.com will protect their personal data and will take appropriate measures if any problem happens.

In the IoT, trust must be even more present in systems and services. If a large number of objects around us are collecting information about everyone and people do not trust that system or service, this may cause feelings such as, persecution, being watched, privation of freedom. Such lack of trust may cause the repudiation of these sensors and systems by users.

2.4.1 Trust Definition

Different authors have defined Trust considering all the perspectives required to obtain a faithful compu-tational trust value. The three most representative definitions which complement each other are

[Gambetta, 2000], [McKnight and Chervany, 1996], [Grandison and Sloman, 2000]. Combining these definitions, we propose the following concept of trust:

Trust is a subjective probability by which an individual, A (trustor), expects or believes that another individual, B (trustee), performs a given action dependably, securely, and reliably in a given situation within a specified context with a feeling of relative security, even though negative consequences are possible.

Trust is a key underlying element of any transactional activity. It characterizes the "bond" and "com-fort" that the transacting parties share amongst themselves and impacts the utility of their mutual activi-ties. In pervasive applications, transactional activities will typically involve the exchange of information between parties.

[INCOME, 2013a] presents trust as the cornerstone between privacy and QoC. It concludes that, both QoC and privacy are related to the notion of trust, but from two different perspectives.

• From the context producers point of view, “priority must be given to the respect of the privacy of the context owners. If a context consumer is not trustworthy, a strict privacy is desired.”

• From the context consumer point of view, “a context information of high quality is expected to ease the decision making process from the point of view of the context consumer.”

Trust is critical in the large-scale, open distributed pervasive systems considered here, enabling in-teractions between parties in uncertain and constantly changing environments. The verb "believe" in the definition above will allow us in the future to exploit both probabilistic and logic-based techniques.

(45)

2.4.2 A Trust Meta-model

[Neisse, 2012] fomalizes trust as the measurement of the belief from a trusting party point of view (trustor) with respect to a trusted party (trustee) focused on a specific aspect that possibly implies a benefit or a risk. And, the term trustworthiness refers to the amount, measurement, or degree of trust in a trust relationship.[Neisse, 2012] did not find in the literature an appropriate trust management model that combines multiple trust aspects as required by the context-aware computing domain. All other existing solutions refer to a specific domain and are not easily portable to another domain.

Figure 2.4 depicts the trust meta model proposed by [Neisse, 2012] showing how the concept of “Trust Belief” is related to the social trust concepts of “System Trust”, “Dispositional Trust” and “Situa-tional Trust”

Figure 2.4: Trust Type Model [Neisse, 2012]

The concept of “Dispositional trust” is the intrinsic/inherited disposition of an entity to trust any other given entity in the absence of evidence or previous experiences. The concept of “System Trust” is the impersonal trust perception an entity has regarding the set of regulations and safeguards of the system as a whole.

The advantages that make us consider this trust model as part of our solution are the following: (i) It is extensible. It was designed to support (ii) context-aware services users and consumer services focusing on trust aspects related to identity provisioning, (iii) privacy enforcement, (iv) context information pro-visioning and (v) context-aware service propro-visioning. Therefore, we decide to integrate this trust model as part of our solution to model contracts to define the agreements between producers and consumers.

Figure

Figure 1.1: Distributed view of producers, consumers and contracts
Figure 2.1: Applications domains and relevant major scenarios [Atzori et al., 2010]
Figure 2.2: “IoT” paradigm as a result of the convergence of different visions. [Atzori et al., 2010]
Figure 2.4 depicts the trust meta model proposed by [Neisse, 2012] showing how the concept of
+7

Références

Documents relatifs

Considering that the adver- sary has considerably more computational power than users, but still limited, we model a sophisticated attack with machine learning techniques on

Rational and context-free trace languages can be defined as in the case of free monoids and their main properties are well-known (see, for instance, [16, 6, 5, 14, 1]). In

Inspired from the fact that nonlinear time-varying feedback gains lead to improved performance, we propose in this work to revisit DCAL control scheme by replacing the constant

surroundings. In [7], authors proposed a privacy-aware solution where the privacy value denotes how much the user is willing to share the related information with other actors in the

We then propose a multi-level, multi-dimensional and domain-independent context meta-model to help WoT applications identify, organize and reason about context information..

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des

These RPL-based networks may be exposed to a large variety of attacks [2], but the deployment of security mechanisms may also be quite expensive in terms of resources.. In that